zerodine / MongoDBAclBundle

This bundle allows the use of MongoDB as the storage layer for the Symfony ACLs component.

deleteAcl() method of IamPersistent\MongoDBAclBundle\Security\Acl\MutableAclProvider does not work completely well #24

Open kamil-jakubowski opened 10 years ago

kamil-jakubowski commented 10 years ago

IamPersistent\MongoDBAclBundle\Security\Acl\MutableAclProvider::deleteAcl($objectIdentity) removes all object identities related to the ACL being deleted from the acl_oid collection, but does not remove the entries from acl_entry.

I wanted to write a function that rebuilds my application's ACLs for chosen entities (so delete all object- and class-scope ACL entries, and insert new ones). Here is my test code:

use Symfony\Component\Security\Acl\Domain\ObjectIdentity;
use Symfony\Component\Security\Acl\Domain\UserSecurityIdentity;
use Symfony\Component\Security\Acl\Permission\MaskBuilder;

$entities = $entityRepo->findAll();
foreach ($entities as $entityObject) {
    $objectIdentity = ObjectIdentity::fromDomainObject($entityObject);

    $aclProvider->deleteAcl($objectIdentity);             // delete the old ACL
    $objectAcl = $aclProvider->createAcl($objectIdentity); // create a new one

    $user = $entityObject->getUser();
    $userIdentity = UserSecurityIdentity::fromAccount($user);

    // privileges for the author
    $objectAcl->insertObjectAce($userIdentity, MaskBuilder::MASK_OPERATOR);

    $aclProvider->updateAcl($objectAcl);
}

I manually cleared both mongo collections and ran the function. This is the result:

{ "_id" : ObjectId("52a48450ac8678dd1a000001"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000000")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000003"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000002")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000005"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000004")) }
> db.acl_oid.find()
{ "_id" : ObjectId("52a48450ac8678dd1a000000"), "identifier" : "52a09c2aac8678fb06000000", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }
{ "_id" : ObjectId("52a48450ac8678dd1a000002"), "identifier" : "52a09e3bac8678be70000000", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }
{ "_id" : ObjectId("52a48450ac8678dd1a000004"), "identifier" : "52a09ed0ac86788d74000003", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }

So everything was fine. Three identity objects, three entries.

But after the second call of the function:

> db.acl_entry.find().length()
6
> db.acl_oid.find().length()
3

> db.acl_entry.find()
{ "_id" : ObjectId("52a48450ac8678dd1a000001"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000000")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000003"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000002")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000005"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000004")) }
{ "_id" : ObjectId("52a48494ac8678f01a000001"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48494ac8678f01a000000")) }
{ "_id" : ObjectId("52a48494ac8678f01a000003"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48494ac8678f01a000002")) }
{ "_id" : ObjectId("52a48494ac8678f01a000005"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48494ac8678f01a000004")) }
> db.acl_oid.find()
{ "_id" : ObjectId("52a48494ac8678f01a000000"), "identifier" : "52a09c2aac8678fb06000000", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }
{ "_id" : ObjectId("52a48494ac8678f01a000002"), "identifier" : "52a09e3bac8678be70000000", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }
{ "_id" : ObjectId("52a48494ac8678f01a000004"), "identifier" : "52a09ed0ac86788d74000003", "type" : "Zeno\\MedicalJournalBundle\\Document\\Pain", "entriesInheriting" : true }

There were 6 entries and 3 objects. So 3 acl entries were left behind which point to non-existent acl identities:

{ "_id" : ObjectId("52a48450ac8678dd1a000001"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000000")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000003"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000002")) }
{ "_id" : ObjectId("52a48450ac8678dd1a000005"), "aceOrder" : 0, "securityIdentity" : { "username" : "some_email@email.com", "class" : "Zeno\\UserBundle\\Document\\User" }, "mask" : 32, "granting" : true, "grantingStrategy" : "all", "auditSuccess" : false, "auditFailure" : false, "objectIdentity" : DBRef("acl_oid", ObjectId("52a48450ac8678dd1a000004")) }

I think this is a bug, but I can be wrong. So please tell me if I'm doing something wrong.
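To make the reported inconsistency checkable, here is an added example (not code from the bundle or from the issue) that models the two collections in memory, reproduces the orphaning that the dumps above show, and contrasts it with a delete that removes both sides. The document shapes follow the dumps; the `_id` values and the `App\Document\Pain` type are constructed placeholders.

```javascript
// Added example, not part of MongoDBAclBundle. Models acl_oid and acl_entry
// as plain arrays so the integrity check can run offline.
// All _id values and the document type are constructed placeholders.

function makeCollections() {
  const aclOid = [
    { _id: 'oid-1', identifier: 'doc-1', type: 'App\\Document\\Pain', entriesInheriting: true },
    { _id: 'oid-2', identifier: 'doc-2', type: 'App\\Document\\Pain', entriesInheriting: true },
  ];
  // Each ACE references its object identity through a DBRef into acl_oid,
  // exactly as in the dumps ({ "$ref": "acl_oid", "$id": ObjectId(...) }).
  const aclEntry = [
    { _id: 'ace-1', aceOrder: 0, mask: 32, granting: true, objectIdentity: { $ref: 'acl_oid', $id: 'oid-1' } },
    { _id: 'ace-2', aceOrder: 0, mask: 32, granting: true, objectIdentity: { $ref: 'acl_oid', $id: 'oid-2' } },
  ];
  return { aclOid, aclEntry };
}

// Mirrors the behaviour reported in the issue: only the acl_oid document is removed,
// so every ACE that referenced it is left dangling.
function deleteAclOidOnly(db, oidId) {
  db.aclOid = db.aclOid.filter((o) => o._id !== oidId);
}

// What a complete delete has to do: drop the OID *and* every ACE whose DBRef points at it.
function deleteAclComplete(db, oidId) {
  db.aclOid = db.aclOid.filter((o) => o._id !== oidId);
  db.aclEntry = db.aclEntry.filter((e) => e.objectIdentity.$id !== oidId);
}

// Integrity check: ACEs whose DBRef targets an acl_oid _id that no longer exists.
// Run this after a rebuild to confirm the store is consistent; a non-empty result
// is exactly the "6 entries, 3 objects" state shown in the issue.
function findOrphanedEntries(db) {
  const live = new Set(db.aclOid.map((o) => o._id));
  return db.aclEntry.filter(
    (e) => e.objectIdentity.$ref === 'acl_oid' && !live.has(e.objectIdentity.$id),
  );
}

// Equivalent query against the real collections in the legacy mongo shell (not executed here):
//   db.acl_entry.find({ "objectIdentity.$id": { $nin: db.acl_oid.distinct("_id") } })

module.exports = { makeCollections, deleteAclOidOnly, deleteAclComplete, findOrphanedEntries };
```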

cordoval commented 10 years ago

Could you please fork SE, plug in the bundle and reproduce the problem in your fork? That will make it easy to take a look :baby: thanks

danez commented 10 years ago

Can you check if this is fixed in dev-master? I think it should be, because of fcbf5276737d8d6d76002b210b3ae8c9809040c0

cordoval commented 10 years ago

@Danez I will take a stab, but just curious: it would be a good idea to create a sandbox for this setup, thoughts? So as to test, reproduce stuff and show good-practice integration

:baby: